Starburst Kafka connector#

The Starburst Kafka connector is an extended version of the Kafka connector; its configuration and usage are identical. It includes security improvements, since the default security configuration of the Kafka connector does not use authentication or encryption when connecting to a Kafka service.

Note

The additional features of the connector require a valid Starburst Enterprise Presto license, unless otherwise noted.

Security#

The connector includes a number of security-related features, detailed in the following sections.

SSL authentication#

With SSL authentication, the Kafka server authenticates the Presto Kafka connector. This is also called “2-way authentication”. To use SSL, add the following configuration to your catalog file.

kafka.security-protocol=SSL

Set the following configuration properties:

Required settings#

| Property name | Description |
|---|---|
| kafka.ssl.truststore.location | Location of the SSL truststore file. |
| kafka.ssl.truststore.password | Password to the truststore file. |
| kafka.ssl.keystore.location | Location of the SSL keystore file. |
| kafka.ssl.keystore.password | Password to the keystore file. |
| kafka.ssl.key.password | Password of the private key stored in the keystore file. |

Optional setting#

| Property name | Description |
|---|---|
| kafka.endpoint-identification-algorithm | The endpoint identification algorithm used by Presto to validate the server host name. The default value is HTTPS. Presto verifies that the broker host name matches the host name in the broker’s certificate. To disable server host name verification use disabled. |

Example configuration with SSL security protocol:

connector.name=kafka
...
kafka.security-protocol=SSL
kafka.ssl.truststore.location=/etc/secrets/kafka.broker.truststore.jks
kafka.ssl.truststore.password=truststore_password
kafka.ssl.keystore.location=/etc/secrets/kafka.broker.keystore.jks
kafka.ssl.keystore.password=keystore_password
kafka.ssl.key.password=private_key_password

Kerberos authentication#

With SASL authentication, the Kafka server authenticates the Presto Kafka connector using the Kerberos service. This configuration uses a non-encrypted protocol. To use the Kerberos (SASL) protocol, add the following configuration to your catalog file.

kafka.security-protocol=SASL_PLAINTEXT

Set the following required configuration properties:

Required settings#

| Property name | Description |
|---|---|
| kafka.kerberos.client.principal | Kafka Kerberos client principal. |
| kafka.kerberos.client.keytab | Kafka Kerberos client keytab location. |
| kafka.kerberos.config | Kerberos service file location. Typically /etc/krb5.conf. |
| kafka.kerberos.service-name | The Kerberos principal name of the Kafka service. |

Example configuration with SASL security protocol:

connector.name=kafka
...
kafka.security-protocol=SASL_PLAINTEXT
kafka.kerberos.client.principal=kafka/broker1.your.org@YOUR.ORG
kafka.kerberos.client.keytab=/etc/secrets/kafka_client.keytab
kafka.kerberos.config=/etc/krb5.conf
kafka.kerberos.service-name=kafka

Kerberos authentication with SSL#

With SASL authentication, the Kafka server authenticates the Presto Kafka connector using the Kerberos service. This protocol uses SSL encryption.

To use the Kerberos (SASL) with SSL protocol, add the following configuration to your catalog file.

kafka.security-protocol=SASL_SSL

The following configuration properties must also be set:

| Property name | Description |
|---|---|
| kafka.kerberos.client.principal | Kafka Kerberos client principal. |
| kafka.kerberos.client.keytab | Kafka Kerberos client keytab location. |
| kafka.kerberos.config | Kerberos service file location. Typically /etc/krb5.conf. |
| kafka.kerberos.service-name | The Kerberos principal name of the Kafka service. |
| kafka.ssl.truststore.location | Location of the SSL truststore file. |
| kafka.ssl.truststore.password | Password to the truststore file. |
| kafka.ssl.keystore.location | Location of the SSL keystore file. |
| kafka.ssl.keystore.password | Password to the keystore file. |
| kafka.ssl.key.password | Password of the private key stored in the keystore file. |

Example configuration with SASL_SSL security protocol:

connector.name=kafka
...
kafka.security-protocol=SASL_SSL
kafka.kerberos.client.principal=kafka/broker1.your.org@YOUR.ORG
kafka.kerberos.client.keytab=/etc/secrets/kafka_client.keytab
kafka.kerberos.config=/etc/krb5.conf
kafka.kerberos.service-name=kafka
kafka.ssl.truststore.location=/etc/secrets/kafka.broker.truststore.jks
kafka.ssl.truststore.password=truststore_password
kafka.ssl.keystore.location=/etc/secrets/kafka.broker.keystore.jks
kafka.ssl.keystore.password=keystore_password
kafka.ssl.key.password=private_key_password
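
The following added example, which is not part of the original documentation or of Starburst's code, audits the text of a catalog file against the three security protocols described above. It reports missing required properties, an unencrypted protocol, and disabled broker host name verification. The function names `parse_properties` and `audit_catalog` are hypothetical, and treating an absent `kafka.security-protocol` as Kafka's `PLAINTEXT` protocol is an assumption based on the default behaviour described at the top of this page.

```python
SSL_PROPS = [f"kafka.ssl.{p}" for p in ("truststore.location", "truststore.password",
                                        "keystore.location", "keystore.password", "key.password")]
KERBEROS_PROPS = [f"kafka.kerberos.{p}" for p in ("client.principal", "client.keytab",
                                                  "config", "service-name")]
# Required properties per kafka.security-protocol value, as listed on this page.
REQUIRED = {"SSL": SSL_PROPS, "SASL_PLAINTEXT": KERBEROS_PROPS,
            "SASL_SSL": KERBEROS_PROPS + SSL_PROPS}

def parse_properties(text):
    """Parse key=value lines; skip blanks, comments and lines without '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit_catalog(text):
    """Return a list of findings for the text of one catalog file."""
    props = parse_properties(text)
    findings = []
    # Assumption: an absent kafka.security-protocol is the unprotected default (PLAINTEXT).
    protocol = props.get("kafka.security-protocol", "PLAINTEXT").upper()
    if protocol == "PLAINTEXT":
        findings.append("PLAINTEXT: no authentication or encryption")
    elif protocol == "SASL_PLAINTEXT":
        findings.append("SASL_PLAINTEXT: Kerberos authentication without encryption")
    elif protocol not in REQUIRED:
        findings.append(f"unrecognised kafka.security-protocol value: {protocol}")
    for name in REQUIRED.get(protocol, []):
        if not props.get(name):
            findings.append(f"missing required property: {name}")
    algorithm = props.get("kafka.endpoint-identification-algorithm", "HTTPS")
    if protocol in ("SSL", "SASL_SSL") and algorithm.lower() == "disabled":
        findings.append("broker host name verification is disabled")
    return findings

# Constructed sample catalog file, not taken from a real deployment.
SAMPLE = """kafka.security-protocol=SASL_SSL
kafka.kerberos.client.principal=presto@EXAMPLE.ORG
kafka.kerberos.client.keytab=/etc/secrets/kafka_client.keytab
kafka.kerberos.config=/etc/krb5.conf
kafka.kerberos.service-name=kafka
kafka.ssl.truststore.location=/etc/secrets/truststore.jks
kafka.endpoint-identification-algorithm=disabled
"""
if __name__ == "__main__":
    print("\n".join(audit_catalog(SAMPLE)))
```

With host name verification disabled, the connector no longer checks that the broker's certificate matches the broker host name, so the audit flags that setting even when every required property is present.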